Masters

Configuring master nodes in a Dianemo Kubernetes cluster is a two-part process:

  • configuring the Dianemo specific options
  • and configuring the Kubernetes specific options

To get started, create a YAML file we will use in the following steps:

touch <node-name>.yaml

Configuring Dianemo

Injecting the Dianemo PKI

Using osctl, and our output from the PKI instructions, inject the generated PKI into the configuration file:

osctl inject os --crt <organization>.crt --key <organization>.key <node-name>.yaml
osctl inject identity --crt <node-name>.crt --key <node-name>.key <node-name>.yaml

You should see the following fields populated:

security:
  os:
    ca:
      crt: <base 64 encoded root public certificate>
      key: <base 64 encoded root private key>
    identity:
      crt: <base 64 encoded identity public certificate>
      key: <base 64 encoded identity private key>
  ...

Configuring trustd

Each master node participates as a Root of Trust in the cluster. The responsibilities of trustd include:

  • certificate as a service
  • and Kubernetes PKI distribution amongst master nodes

Authentication between trustd and a client is, for now, a simple username and password combination. Holding these credentials gives a client the ability to request a certificate that identifies itself. In the <node-name>.yaml, add the following:

security:
...
services:
  ...
  trustd:
    username: <username>
    password: <password>
  ...

Configuring Kubernetes

Generating the Root CA

To create the root CA for the Kubernetes cluster, run:

osctl gen ca --rsa --hours <hours> --organization <kubernetes-organization>

Note: The --rsa flag is required for the generation of the Kubernetes CA.

Injecting the Kubernetes PKI

Using osctl, inject the generated PKI into the configuration file:

osctl inject kubernetes --crt <kubernetes-organization>.crt --key <kubernetes-organization>.key <node-name>.yaml

You should see the following fields populated:

security:
  ...
  kubernetes:
    ca:
      crt: <base 64 encoded root public certificate>
      key: <base 64 encoded root private key>
  ...

Configuring Kubeadm

The configuration of the kubeadm service is done in two parts:

  • supplying the Dianemo specific options
  • supplying the kubeadm InitConfiguration

Dianemo Specific Options

services:
  ...
  kubeadm:
    init:
      type: initial
      etcdMemberName: <member-name>
  ...

Kubeadm Specific Options

services:
  ...
  kubeadm:
    ...
    configuration: |
      apiVersion: kubeadm.k8s.io/v1alpha3
      kind: InitConfiguration
      ...
  ...

See the official documentation for the options available in InitConfiguration.
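Before booting the node it is worth confirming that every field the steps above populate is actually present and well-formed, and that the Kubernetes CA key is the RSA key the --rsa flag is meant to produce. The check below is an added example, not part of the Dianemo documentation or osctl; it assumes the file has been loaded with yaml.safe_load, and the PEM labels it looks for are an assumption about what osctl gen ca / osctl gen key write out. It only inspects structure and PEM labels, it does not validate the certificates themselves.

```python
import base64
import binascii

# Fields that osctl inject populates, with the PEM label each must decode to (labels
# assumed). --rsa is required for the Kubernetes CA, so its key must be RSA, not EC.
EXPECTED_PEM = {
    ("security", "os", "ca", "crt"): "CERTIFICATE",
    ("security", "os", "ca", "key"): "PRIVATE KEY",
    ("security", "os", "identity", "crt"): "CERTIFICATE",
    ("security", "os", "identity", "key"): "PRIVATE KEY",
    ("security", "kubernetes", "ca", "crt"): "CERTIFICATE",
    ("security", "kubernetes", "ca", "key"): "RSA PRIVATE KEY",
}
REQUIRED = (("services", "trustd", "username"), ("services", "trustd", "password"),
            ("services", "kubeadm", "init", "etcdMemberName"))

def lookup(cfg, path):
    for part in path:
        if not isinstance(cfg, dict) or part not in cfg:
            return None
        cfg = cfg[part]
    return cfg

def pem_label(value):
    """Base64-decode a field and return the label of its first PEM block, else None."""
    try:
        pem = base64.b64decode(str(value or ""), validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    for line in pem.splitlines():
        if line.startswith("-----BEGIN ") and line.endswith("-----"):
            return line[len("-----BEGIN "):-len("-----")]
    return None

def check_master_config(cfg):
    problems = []  # empty result means <node-name>.yaml looks complete
    for path, want in EXPECTED_PEM.items():
        label = pem_label(lookup(cfg, path))
        if label is None or not label.endswith(want):
            problems.append(f"{'.'.join(path)}: expected {want} PEM, got {label}")
    for path in REQUIRED:
        val = lookup(cfg, path)
        if not val or str(val).startswith("<"):  # still a <placeholder> from the docs
            problems.append(f"{'.'.join(path)}: not set")
    if lookup(cfg, ("services", "kubeadm", "init", "type")) != "initial":
        problems.append("services.kubeadm.init.type: must be 'initial' on a master")
    return problems

def fake_pem(label):  # constructed stand-in for osctl output, not a real key or cert
    return base64.b64encode(f"-----BEGIN {label}-----\nAAAA\n-----END {label}-----\n".encode()).decode()
```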